Key Performance Indicators (KPIs) are widely known and used. When it comes to Key Risk Indicators (KRIs), however, things look rather differently. KRIs are early warning signs indicating change in the risk profile of a company. They enable top management to identify potential risks in the internal and external business environment that may affect the company’s ability to achieve its strategic and operational goals early on and take active countermeasures. KRI systems are an important element of an effective strategic risk management process. Nevertheless, many companies either don’t use them at all or only insufficiently. So, what should be kept in mind when developing KRI systems?
Developing and monitoring KRIs should be an integral part of the strategic planning process. Within strategy development, for each corporate goal the associated internal and external risks first need to be identified, analyzed, categorized, and prioritized according to their likelihood of occurrence and potential impact on the company. There are basically three types of strategic risks that may jeopardize successful strategy implementation: demand risks, competitive risks, and risks relating to the capabilities of the company. To be able to recognize and assess these risks properly, various sources of information and expertise inside and outside the company should be used.
The next step is to identify and define for each major risk those KRIs that best describe and measure them (relevance). This should be limited to 1-3 KRIs per risk. In addition, appropriate thresholds for action need to be established for each KRI. Where these thresholds are exactly depends very much on the individual risk appetite of the company and should be decided on by top management given the importance of KRIs for achieving strategic goals.
Finally, as part of strategy implementation, the selected KRIs need to be continuously monitored and managed. Dashboards which visually display the most important information are particularly useful for this purpose. Also, it is advisable to assign risk owners and establish clear lines of communication. Risk owners should be subject experts coming from inside or outside the organization.
If the established thresholds are exceeded, there is need for action. Possible strategic responses to an increased risk exposure include revising or abandoning strategies, risk mitigation activities, explicit countermeasures, or lowering expectations based upon the changed circumstances. Finally, the KRIs should be regularly checked for relevance and timeliness. New KRIs may need to be added and old ones redefined or removed.
Besides relevance there are a number of other aspects that should be considered when choosing KRIs. KRIs should be quantifiable, verifiable, and easy and efficient to measure. This does not mean, though, that they have to be purely objective. KRIs can also involve subjective assessments which, after all, are particularly helpful in identifying changes in the corporate environment, provided they are independently quantifiable and verifiable. A good example of a qualitative KRI would be negative media coverage which could pose a reputation and, eventually, demand risk for a company. Here, variables, such as the quality and reliability of the information sources, the frequency and timing of the news coverage, and the severity level of content may be rated and measured using scales (e. g., low, medium, high) and then aggregated to a meaningful risk score.
In addition, KRIs should be a good mix of leading and lagging indicators. Leading indicators help to predict future events and risks before they occur, thereby enabling proactive risk management. Leading indicators can be identified by pinpointing the risk drivers that influence the probability of occurrence and the impact on the company. For example, a rising number of young adults in Western markets that no longer obtain a driver license would be an early warning signal for decreasing future demands for cars in those markets. Lagging indicators, however, are based on historical trend data. They are, therefore, well suited for retrospective analysis.
In summary, a robust, IT-based KRI system helps companies to anticipate future opportunities and risks and manage them proactively. It increases their agility as well as their chances to actually achieve their strategic goals.